b"MEMORANDUM\n\nTO             :      A. Lee Fritschler\n                      Assistant Secretary\n                      Office of Postsecondary Education\n\nFROM           :      Mary Mitchelson\n                      Assistant Inspector General\n                      Analysis and Inspection Services\n\nSUBJECT        :      Results of the OIG Review of OPE's Internal Controls Over the\n                      Procurement of Goods and Services (A&I 2000-013)\n\n\nINTRODUCTION\n\nThis is our report of our review of the Office of Postsecondary Education\xe2\x80\x99s (OPE)\ninternal controls over the procurement of goods and services. This review is part of our\nDepartment-wide review of this area. The Department\xe2\x80\x99s management is responsible for\nestablishing and maintaining internal controls. We will transmit the Department-wide\nresults to the Deputy Secretary with copies to the Assistant Secretaries and other senior\nstaff when we complete our review. On September 7, 2000, Office of Inspector General\n(OIG) staff met with you, Francine Picoult, Humphrey Barnes and Yvonne Navalaney to\ndiscuss the results of this review.\n\nRESULTS\n\nDuring our review of OPE, we identified instances of noncompliance with the Prompt\nPayment Act. We found 15 invoices that appear to not have been paid timely as required\nby the Act.\n\nWe also identified certain deficiencies, in addition to the above instances of\nnoncompliance, that prevent OPE from satisfying the General Accounting Office\xe2\x80\x99s\n(GAO) Standards for Internal Control in the Federal Government. For your information\nand corrective action, we have listed those deficiencies in the attached chart (Attachment\nA). In the future, we anticipate conducting a follow-up review to assess the actions you\nhave taken to satisfy GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government.\n\nIn addition, we want to advise you and OPE managers of inherent vulnerabilities we\nidentified in two Department procurement systems.\n\x0c\xc3\xbc Purchase Cards \xe2\x80\x93 For efficiency, the Department designed a purchase card system\n  where cardholders can order, receive and approve payments for goods and services.\n  Consequently, as a control, the Department established approving officials to review\n  the use of purchase cards. Therefore, it is important that approving officials properly\n  review all cardholder statements, including invoices, before forwarding them to the\n  Office of the Chief Financial Officer for payment.\n\n\xc3\xbc Third Party Drafts (TPDs) \xe2\x80\x93 An individual with signature authority can issue Third\n  Party Drafts without the involvement of anyone else. Therefore, it is important that,\n  at a minimum, the supervisor of the individual with signature authority conduct\n  periodic reviews of drafts issued.\n\nDuring our review, we noted that one staff member assigned a purchase card is below the\ngrade level (GS-9) required to receive annual ethics training. Because of the employee\xe2\x80\x99s\nprocurement responsibilities, ethics training would be beneficial to this staff member.\nManagement should require all procurement staff to attend annual ethics training.\n\nOTHER MATTERS\n\nWe were informed that in the past some supervisors were using their staff members\xe2\x80\x99\npurchase cards. During our testing, we noted two transactions that indicated someone\nother than the cardholder had initiated the transaction. The Executive Office staff\ninformed us that they were aware of the noncompliance and had informed those involved\nto discontinue the practice. It appears that OPE has taken the necessary corrective action\nto resolve the noncompliance with Department policy regarding the sharing of purchase\ncards.\n\nAs described in the scope and methodology section of this report, some drafts issued by\nStudent Financial Assistance (SFA) are assigned OPE organization codes and thus listed\non OPE\xe2\x80\x99s reports of Third Party Draft activity. OPE should work with SFA and OCFO\nto ensure that only drafts issued by OPE are listed on OPE\xe2\x80\x99s reports. In addition, some\nSFA and OPE cardholders are listed in OCFO records under the wrong office. OPE\nshould work with SFA and OCFO to correct the records.\n\nOBJECTIVE\n\nOur review objective was to assess the internal controls to ensure compliance with laws\nand regulations for the procurement of goods and services other than studies or\nevaluations.\n\nSCOPE\n\nWe limited our work to procurements in Washington, D.C. (Headquarters) using TPDs\nand purchase cards. We did not conduct testing on OPE\xe2\x80\x99s use of \xe2\x80\x9cCorporate\xe2\x80\x9d\nGovernment Travel Accounts.\n\x0cMETHODOLOGY\n\nTo achieve our objectives, we conducted interviews with OPE staff involved with the\nprocurement process, and we reviewed relevant documents. As part of our work, we\nreviewed samples of TPDs and purchase card transactions.\n\nWe judgmentally selected a sample of 65 TPDs issued between October 1998 and\nFebruary 2000 (FY 1999 and the first five months of FY 2000) from EDCAPS reports on\nOPE TPD activity. We were able to review files for 44 of the requested 65 drafts. Files\nwere not available in OPE for us to review 21 of the drafts.\n\nWe later found that some drafts issued by SFA appear on OPE\xe2\x80\x99s EDCAPS reports. The\nunderlying obligation for some drafts issued by SFA was established when SFA was a\npart of OPE. As the drafts are issued by SFA against those obligations, the drafts are\nassigned to OPE organizational codes and thus included in the EDCAPS reports on OPE\nTPD activity. We found that SFA had issued 16 of the 21 TPDs that were not available\nfor review in OPE. The remaining five drafts were issued by OPE, but the files could not\nbe located during the time of our review.\n\nCurrently, OPE has 13 purchase cardholders. We reviewed transactions by 12\ncardholders since one cardholder had no activity during the period of our review. We\nalso reviewed transactions by three former cardholders. We judgmentally selected a\nsample of monthly purchase card statements dated between December 1999 and June\n2000. Then, we selected 50 transactions to review. We also reviewed OPE monthly\npurchase card statements that were in the Financial Management Policy and\nAdministrative Programs Group files for the months of September 1999 and March 2000.\n\nWe based our conclusions about OPE's internal controls on the information gathered\nduring our interviews and transaction testing. We conducted our interviews and\ntransaction testing between April 19, 2000 and July 28, 2000. We assessed OPE's\ninternal controls based on GAO's Standards for Internal Control in the Federal\nGovernment issued November 1999. Attachment B to this memorandum contains a\nsummary of the GAO Standards. We conducted our work in accordance with the\nPresident's Council on Integrity and Efficiency Quality Standards for Inspections dated\nMarch 1993.\n\nWe appreciate the cooperation shown by your staff during our review. If you have any\nquestions regarding the results of this review, please contact me at 260-3556.\n\n\nAttachments\n\n\ncc:    Deputy Secretary\n\x0c                                                                  Attachment B\n\n          GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government\n                        Components of Internal Control\n\n\xe2\x80\xa2   Control Environment \xe2\x80\x93 Management and employees should establish and maintain\n    an environment throughout the organization that sets a positive and supportive\n    attitude toward internal controls and conscientious management.\n\n    Factors:\n\n    3 Management and staff maintain and demonstrate integrity and ethical values.\n\n    3 Management maintains an active commitment to competence.\n\n    3 Management\xe2\x80\x99s philosophy and operating style exert a positive influence on the\n      organization (especially toward information systems, accounting, personnel\n      functions, monitoring and audits).\n\n    3 Organizational structure is appropriately centralized or decentralized, and\n      facilitates the flow of information across all activities.\n\n    3 Agency delegates authority and responsibility and establishes related policies\n      throughout the organization in a manner that provides for accountability and\n      control.\n\n    3 Agency establishes human resource policies and practices that enable it to recruit\n      and retain competent people to achieve its goals.\n\n\xe2\x80\xa2   Risk Assessment \xe2\x80\x93 Internal controls should provide for an assessment of the risks the\n    agency faces from both external and internal sources.\n\n\xc3\xbc Precondition \xe2\x80\x93 establishment of clear and consistent agency objectives.\n\n\xc3\xbc Risk assessment \xe2\x80\x93 the comprehensive identification and analysis of relevant risks\n  associated with achieving agency objectives, like those defined in strategic and\n  GPRA annual performance plans, and forming a basis for determining how the\n  agency should manage risks.\n\n\xc3\xbc Risk identification \xe2\x80\x93 methods may include qualitative and quantitative ranking\n  activities, management conferences, forecasting and strategic planning, and\n  consideration of findings from audits and other assessments.\n\n\xc3\xbc Risk analysis \xe2\x80\x93 generally includes estimating the risk\xe2\x80\x99s significance, assessing the\n  likelihood of its occurrence, and deciding how the agency should manage its risk.\n\x0c\xe2\x80\xa2   Control Activities \xe2\x80\x93 Internal control activities help ensure that employees carry out\n    management directives. The control activities should effectively and efficiently\n    accomplish agency control objectives.\n\n    3 The control activities are the policies, procedures, techniques, and mechanisms\n      that enforce management\xe2\x80\x99s directives. They help ensure that employees take\n      actions to address risks.\n\n    3 Control activities occur at all levels and functions of the entity, and include a wide\n      range of diverse activities such as approvals, authorizations, verifications,\n      reconciliations, performance reviews, maintenance of security, and creation and\n      maintenance of related records that document the execution of these activities.\n\n\xe2\x80\xa2   Information and Communications \xe2\x80\x93 Employees should record and communicate\n    information to management and others within the entity who need it in a form and\n    within a time frame that enables them to carry out their internal control (and other)\n    responsibilities effectively and efficiently.\n\n    3 An organization must have relevant, reliable, and timely communications relating\n      to internal as well as external events. Information is needed throughout the\n      agency to achieve all its operational and financial objectives.\n\n    3 Effective communications should occur in a broad sense with information flowing\n      down, across, and up the organization.\n\n    3 Management should ensure there are adequate means of communicating with, and\n      obtaining information from, external stakeholders that may have a significant\n      impact on the agency achieving its goals.\n\n\xe2\x80\xa2   Monitoring \xe2\x80\x93 Internal control monitoring should assess the quality of performance\n    over time and ensure that audit and other review findings are promptly resolved.\n\n    3 Includes regular management and supervisory activities, comparisons,\n      reconciliations, and other actions employees take in performing their duties.\n\n    3 Should include policies and procedures for ensuring that audit and other review\n      findings are promptly resolved.\n\x0cInternal Control Evaluation Form for the Office of Postsecondary Education                                      Attachment A\n\nControl Component     Deficiencies\nControl Environment   \xe2\x80\xa2 Training \xe2\x80\x93 While most of the procurement staff we interviewed had taken simplified acquisition training,\n                         the Executive Officer had not; although he had scheduled the training, he had not been able to attend.\n                      \xe2\x80\xa2 Assignment of Authority \xe2\x80\x93 The assignment of one of OPE\xe2\x80\x99s employees as an approving official does not\n                         comply with the Department\xe2\x80\x99s Directive on Commercial Credit Card Service (C:FIM:6-102) dated\n                         March 12, 1990, which states that \xe2\x80\x9can approving official may not be a cardholder.\xe2\x80\x9d\n\nRisk Assessment       \xe2\x80\xa2   Identification of Risks \xe2\x80\x93 OPE has no formal procedures for risk assessment in the procurement area.\n\nControl Activities    \xe2\x80\xa2   Policies and Procedures \xe2\x80\x93 Although required by the Department\xe2\x80\x99s Directive on Commercial Credit Card\n                          Service, OPE has no written policies and procedures on the purchase card process. In January 2000,\n                          OPE did provide senior managers and division directors with a list of procurement \xe2\x80\x9cquestions and\n                          answers.\xe2\x80\x9d\n                      \xe2\x80\xa2   Purchase Cards \xe2\x80\x93 We reviewed the September 1999 and the March 2000 statements from OCFO files.\n                          Our purpose was to verify that OPE had submitted all its monthly card statements with activity to OCFO\n                          and that the approving official had signed the card statements to support OCFO\xe2\x80\x99s Department-wide\n                          payments. We also judgmentally selected and reviewed 50 purchase card transactions.\n                          \xe2\x99\xa6 Approval of monthly purchase card statements:\n                             \xe2\x80\xa2 For September 1999, ten cards had activity. Five statements were missing from OCFO files.\n                                 Four were not signed by the approving official.\n                             \xe2\x80\xa2 For March 2000, ten cards had activity. Two statements were missing from OCFO files. Two\n                                 were not signed by the approving official.\n                          \xe2\x99\xa6 Preapproval \xe2\x80\x93 We did not find evidence of preapproval on the supporting documentation for 49 of the\n                              50 transactions we selected to review.\n                          \xe2\x99\xa6 Authorization \xe2\x80\x93 The balance on one card exceeded the cardholder\xe2\x80\x99s monthly purchase limit by\n                              $234.09.\n                          \xe2\x99\xa6 Documentation \xe2\x80\x93 The supporting documents were missing for one transaction of $33.45.\n                          \xe2\x99\xa6 Recordkeeping \xe2\x80\x93 We were unable to trace four of the transactions we selected to review to EDCAPS\n                              because EDCAPS transaction numbers were not listed next to the charges on the card statements.\n\x0cControl Component   Deficiencies\n                    \xe2\x80\xa2 Third Party Drafts (TPDs) \xe2\x80\x93 Files were not available for 21 of the 65 TPDs that we judgmentally selected\n                       to review from an EDCAPS report on OPE\xe2\x80\x99s TPD activity. Sixteen of those drafts were determined to\n                       belong to SFA.\n                       \xe2\x99\xa6 Documentation \xe2\x80\x93 Files were not available for five TPDs during our review.\n                       \xe2\x99\xa6 Compliance/Prompt Payment \xe2\x80\x93 Out of the 44 invoices we reviewed, 15 do not appear to have been\n                           paid timely as required by the Prompt Payment Act.\n                       \xe2\x99\xa6 Date Stamping \xe2\x80\x93 The invoices were not date stamped for 25 of the 44 transactions.\n                       \xe2\x99\xa6 Approval \xe2\x80\x93 One Form 1164 (employee reimbursement) was not signed by the approving supervisor.\n\nInformation &       \xe2\x80\xa2   Communication of Key Information \xe2\x80\x93 The procurement staff we interviewed were not familiar with the\nCommunications          Department\xe2\x80\x99s Directive on Commercial Credit Card Service.\n                    \xe2\x80\xa2   Reporting \xe2\x80\x93 The EDCAPS reports on OPE\xe2\x80\x99s TPD activity include drafts issued by SFA.\n\nMonitoring          \xe2\x80\xa2   On-going Monitoring \xe2\x80\x93 The supervisor of the individual with signature authority for TPDs does not\n                        perform periodic reviews of the drafts issued by OPE.\n\x0c"